Rethinking Your Data Protection for a Post-Brexit World
Brexit. It hasn’t even happened yet but it’s already creating a litany of questions — and more than a few headaches — for governments, companies and consumers across the EU, within the UK and on the US side of the pond as well.
With potential disruptions to one of the biggest EU markets for US companies looming, marketing and information management teams across industries are looking to the future to see how the transition will alter existing data protection regulations, particularly the General Data Protection Regulation (GDPR) and the Privacy Shield.
Will organizations’ current approaches to those key customer data requirements need to change following Brexit? And what can organizations be doing now to get ready?
Revisiting the General Data Protection Regulation (GDPR)
By way of background, the General Data Protection Regulation (GDPR) — also known as Regulation (EU) 2016/679 — is part of the EU’s evolving initiative to standardize and improve data protection for individuals within the European Union.
Aimed at improving the climate for international business by unifying the EU’s overall regulatory environment, GDPR also governs the export of personal data outside the EU. Starting in May 2018 when the regulation takes effect, any organization that handles an EU citizen’s data must abide by GDPR regulations.
What Is the Privacy Shield?
Privacy Shield, which replaced the earlier Safe Harbor program after it was invalidated by a legal challenge, was designed jointly by the US Department of Commerce and the European Commission to provide a framework for organizations to comply with EU data protection requirements through a self-certification process.
Businesses based in the US that transfer data back and forth between domestic operations and the EU fall under both the Privacy Shield agreement and GDPR.
Good News on Timing?
Now, just as businesses were getting comfortable with Privacy Shield and GDPR, Brexit raises new concerns that things may soon change again to accommodate a UK-less EU.
One piece of good news for companies worried about how the privacy landscape may morph in the future is that it appears there will be plenty of time to work through the details of Brexit’s impact on data protection regulations.
It will take the UK at least a few years to develop a plan to leave the EU and formally complete its exit, with the possibility that Parliament could delay the process even further. In the meantime, all participants will continue to operate under existing laws.
Weakened Regulations Aren’t Likely
Another positive aspect is that the facilitation and support of continued business dealings between firms in the US, the UK and the EU is a top priority for most of the parties that will be responsible for hammering out the details around Brexit.
That translates to very little risk that either the UK or the EU will want to see their data protection regulations weakened as a result of Brexit. Instead, all participants will likely work to adopt one or more agreements similar to the GDPR and Privacy Shield regulations that are in place now.
That makes any decisions about how to approach data protection strategies infinitely easier for firms doing business in or with the EU, since there’s very little chance that any future regulations will be less stringent than those currently in effect.
How to Look Toward the Future
So, until the Brexit process is complete, little about data privacy regulations will change. However, it’s never too early for businesses to adopt their own internal strategies aimed at keeping customers’ information safe.
These same procedures can also help firms avoid potential exposures and any resulting penalties, no matter how the regulatory environment shakes out.
For example, the EU’s current mandates include requirements for assessing internal policies. Proactively implementing these programs can help businesses be ready for a changing privacy landscape while complying with existing laws.
There’s No Erasing the ‘Right to Erasure’
Consumers’ “right to erasure” and other legal remedies are also key points that are unlikely to disappear in future iterations of privacy regulations. Implementing data privacy and protection procedures that support these efforts will serve businesses well going forward, no matter what Brexit’s precise impact on the information management landscape turns out to be.
By focusing on existing consumer protections and data privacy best practices, organizations can create internal procedures that will meet current regulatory obligations and serve as a solid foundation for the post-Brexit era, wherever it may take us.
Title image by Mauro Mora
Tom Spier is director of International Markets at London-based IDT911. He has 13 years’ experience in the insurance and identity industries, including roles in claims and underwriting.